Keith has access to SECURITY-519 in the Jenkins issue tracker using his account 'prospero238'. That issue contains complete steps that allow a regular user with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, just as stated in the advisory.
In cases of very serious security vulnerabilities, such as this one, we suspend distribution of plugins so they are no longer available on Jenkins update sites. I did that here. This will remain until the issue is resolved to the satisfaction of the Jenkins security team.
